Jun 28, 2013

A lot of what I've been blogging about lately has been to do with covering your ass from illegal government snooping. One of the big bombshells that broke recently was that the Department of Justice has issued warrants to all of the major phone companies to obtain all phone records for everyone in the United States.

Also, it has been reported on some news sites that the NSA is actively grabbing those phone conversations out of the air as well. So what is one to do about it?

Well, last year I talked about setting up your own secure VoIP server, but if you don't want to go through that sort of headache, and you are an Android or an iPhone user, there is another solution. You can use RedPhone.

Jun 27, 2013

In a chilling, yet somehow unsurprising, report I read on Monday, it turns out that no matter how well you think you've locked down your Windows workstation or server, the NSA can still easily get into it. Why? Because Microsoft has been building backdoors into their operating system since Windows 95.

The National Security Agency has backdoor access to all Windows software since the release of Windows 95, according to informed sources, a development which follows the insistence by the agency and federal law enforcement for backdoor “keys” to any encryption, according to a report in Joseph Farah’s G2 Bulletin.

Having such “keys” is essential for the export of any encryption allowed under U.S. export control laws to foreign users.

...Computer security specialists say that the Windows software driver used for security and encryption functions contains unusual features which give NSA that backdoor access.

These security specialists have identified the driver as ADVAPI.DLL. It enables and controls a variety of security functions. These specialists say that on Windows, it is located in the C:\Windows\system directory of anyone’s computer that uses Windows software.

Nicko van Someren says the driver contains two different keys. One was used by Microsoft to control cryptographic functions in Windows while another initially remained a mystery.

Then, two weeks ago, a U.S. security firm concluded that the second key belonged to NSA. Analysis of the driver revealed that one was labeled KEY while the other was labeled NSAKEY, according to sources. The NSA key apparently had been built into the software by Microsoft, which Microsoft sources don’t deny.

Also, it is now known that through the PRISM system Google and Apple have also given the NSA access to your "free" email. It is probably a safe bet that if you are using a computer running Apple's OSX, or Google's Chrome OS, the NSA has a backdoor into those as well.

I recommend switching over to Bauer-Puntu Linux. It's open source, and built on Xubuntu. If you can read code, you can download the source for Xubuntu yourself to see if there's a backdoor. It also comes pre-installed with different encryption and privacy options to keep the NSA off your back.

Jun 26, 2013

Again with my anti-NSA server... This time I had to figure out how to back it up. Now Linode.com, where I am hosting it, does have a backup solution for an extra $100 per month... Um, no thanks.

Normally for a Linux server I run a script to compress certain directories into a tarball, then I download them later to my backup server to write to tape. Since all my emails on my new email server are stored in an encrypted volume, I wanted to make sure that the files that were stored in the encrypted volume could be backed up in an encrypted tarball that I could download later. That way if someone were to seize my server, the encrypted volume wouldn't be mounted and the backup files would be encrypted as well.

Well, there is a handy utility that you can pipe tar into that will do just that, and it's called ccrypt. To install it on Ubuntu just run:

sudo apt-get install ccrypt

Now to automate the encryption you need to store your encryption passphrase in a text file. I stored mine in a hidden file called .passkey which is kept in my encrypted volume. That way if the server is rebooted, the .passkey file is safe. For this article, let's say that .passkey is stored in /var/encrypted.
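Here is an added example of the tar-into-ccrypt pipeline described above, written for this page rather than taken from the original post. The paths are placeholders, and the functions refuse a passphrase file that anyone but its owner can read, since ccrypt reads the key from that file.

```shell
#!/bin/sh
# Added example (not the script from the original post): tar a directory and
# pipe it through ccrypt so that only ciphertext is ever written to disk.
# The paths are placeholders; the post keeps its passphrase in
# /var/encrypted/.passkey inside the volume that is only mounted by hand.
set -u

# ccrypt -k reads the first line of the file as the key, so refuse a
# passphrase file that group or others can read (columns 5-10 of ls -l).
check_keyfile() {
    [ -f "$1" ] || { echo "keyfile $1 missing" >&2; return 2; }
    if ls -l "$1" | cut -c5-10 | grep -q '[^-]'; then
        echo "keyfile $1 is group/world readable; chmod 600 it" >&2
        return 2
    fi
}

# $1 directory to back up, $2 passphrase file, $3 output file (.cpt)
# tar streams to stdout and ccrypt encrypts stdin to stdout, so no
# plaintext archive touches the disk. A plain POSIX pipeline only reports
# ccrypt's status, so run verify_encrypted afterwards to catch a short tar.
backup_encrypted() {
    check_keyfile "$2" || return $?
    tar -C "$(dirname "$1")" -czf - "$(basename "$1")" \
        | ccrypt -e -k "$2" > "$3"
}

# $1 encrypted tarball, $2 passphrase file: decrypt and list the archive
# without extracting, as an integrity check of the backup.
verify_encrypted() {
    check_keyfile "$2" || return $?
    ccrypt -d -k "$2" < "$1" | tar -tzf - > /dev/null
}

# $1 encrypted tarball, $2 passphrase file, $3 directory to restore into
restore_encrypted() {
    check_keyfile "$2" || return $?
    ccrypt -d -k "$2" < "$1" | tar -xzf - -C "$3"
}

# Usage, once /var/encrypted is mounted by hand after a reboot:
#   backup_encrypted /var/vmail /var/encrypted/.passkey \
#       /root/backups/vmail-$(date +%F).tar.gz.cpt
#   verify_encrypted /root/backups/vmail-2013-06-26.tar.gz.cpt \
#       /var/encrypted/.passkey
```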

Jun 25, 2013

Still on the kick of talking about my new anti-NSA email server, I wanted to tell you about monitoring it. I found a public service that lets me keep an eye on my email server 24/7 at five-minute intervals, all for free.

It's called UptimeRobot. I used to use Monitor.us, but their free service only checks if your server is up every 30 minutes. A server could easily be rebooted during that time and you would never know. With UptimeRobot, it checks on whatever service you want every five minutes.

Plus it can notify you in several ways including Email, SMS, RSS or Twitter. That is particularly handy if the thing you are monitoring is an email server like mine, and you need an alternative way to be notified.

The free version allows you to monitor up to 50 sites or services. You can monitor them with HTTP/HTTPS, Ping or by specifying a TCP port. You can also supply login credentials if the service you are checking requires a login.

What do you use to monitor your websites or public servers? Is it free? Let us know what you use in the comments.

Jun 24, 2013

I've already mentioned that I have moved off of Google Apps for my email onto my own email server running on Linux using iRedmail. One of the components that comes with the iRedmail package is a really bad-ass utility that acts as a one-application army for combating hackers who are trying to gain access to your Linux server.

The tool is called Fail2Ban, and it works alongside your iptables firewall by actively scanning your server's logs for suspicious activity, and automatically creating firewall rules to thwart the attacker.

From their page:

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email, or ejecting the CD-ROM tray) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

It works so well, in fact, that when I set up a monitor for my webmail page that pings the site every five minutes, Fail2Ban thought it was suspicious and blocked them. I had to add their IPs to the Fail2Ban ignore list to get monitoring to work again.

Do you use Fail2Ban? Do you know of something better? Let us know in the comments.

Jun 21, 2013

NOTE: TrueCrypt is obsolete. I recommend using VeraCrypt for this setup instead.

I, like many people, got upset when I heard the news about the NSA's PRISM program. It's one of the reasons I added a number of encryption programs to Bauer-Puntu Linux. One of the things that I've thought about doing for a while though was to move my email off of Google Apps.

Sure, I knew that the NSA had been sucking up everything on the Internet since I found out about their Stellar Wind program, but I was rather shocked to learn about PRISM, and how the NSA basically has direct access to the big name email providers like Google, Yahoo and Microsoft. Even if they didn't, though, there are at least two other inherent privacy concerns with using a third party email provider.

For one, they have full access to your email and often sell your personal information to marketers. When you are using a free service like Gmail, you are not the customer... You are the product being sold.

More scary than that though is that if the government wants access to your email on a third party email provider, they don't need a warrant. All they need to do is serve the provider with a National Security Letter, and they don't have to notify you, and the email provider is legally gagged from telling you. Nice, right?

So in an effort to combat this blatant violation of privacy and the 4th Amendment, I decided to run my own email server. Now if they want my email, technically they need to serve me a warrant. The caveat with my situation though is that I am hosting my email on a Linux VPS (Virtual Private Server) through Linode.com.

Because I'm using a VPS, there is also a risk that the government could demand access to my server from the VPS provider without telling me. That's where the gist of this post comes in!

So because I am using a VPS, I was not able to do the install of Ubuntu myself and encrypt the entire server. I had to take the template they gave me. So I opened a ticket with support and asked them a few questions:

Does Linode have root access, or a backdoor account to my VPS?

Does Linode have the ability to reset the root password on my VPS?

Their answers were no and yes respectively. However if they need to reset the root password, they have to shut down the VPS, and go into recovery mode. So encryption that doesn't automatically mount at boot up would work to protect my information from being taken by the feds without a warrant (and a decryption password is protected by the 5th Amendment).

Like I said though, the VPS templates don't use encryption, so you have to set it up yourself, and I found a way... Using Truecrypt for Linux!

Since everything is done in a terminal on a Linux server, you have to get savvy with the terminal commands of Truecrypt. For instance, you can create a Truecrypt volume by running the following:

truecrypt -c secret.tc

That will create an encrypted volume file called secret.tc.

On my server, the email store is located in /var/vmail, so what I did was back up all the files and folders in there, remove them, then use Truecrypt to mount my encrypted volume to /var/vmail by running:

truecrypt --mount /secret/secret.tc /var/vmail

I then copied the files back to /var/vmail and reset permissions.

I put the mounting command into a little script that I run manually after a reboot, so I have to enter my decryption password and key file information myself; then the script restarts my email services and my email server is ready to go!
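As an added illustration of the post-reboot script described above (written for this page, not the author's own script), the following mounts the volume onto the mail store and only then restarts the mail daemons. The volume path and service names are placeholders, and the script refuses to run without a terminal so it can never be wired into boot and mount the volume on its own.

```shell
#!/bin/sh
# Added example (not the script from the original post): mount the TrueCrypt
# volume that holds the mail store, then restart the mail services.
# Deliberately interactive: the passphrase and keyfile are entered at the
# truecrypt prompt and never stored, so after a reboot or a forced root
# password reset /var/vmail stays unmounted until the owner runs this.
# Volume path and service names are placeholders; veracrypt --text accepts
# the same --mount syntax if you switch tools as the note above suggests.
set -u

VOLUME=${VOLUME:-/secret/secret.tc}
TARGET=${TARGET:-/var/vmail}
SERVICES=${SERVICES:-"postfix dovecot"}

# True if $1 is currently a mount point, read from /proc/mounts so that it
# also works where mountpoint(1) is absent.
is_mounted() {
    awk -v t="$1" '$2 == t { found = 1 } END { exit !found }' /proc/mounts
}

# Guard against ever being run from cron, rc.local or an init script: with
# no terminal there is nobody to type the passphrase, and a script that
# mounted without one would defeat the point of the setup.
require_tty() {
    [ -t 0 ] || { echo "refusing to run without a terminal" >&2; return 3; }
}

# $1 volume file, $2 mount point. Returns 0 mounted, 1 mount failed,
# 2 volume missing, 3 not interactive.
mount_mail_volume() {
    [ -f "$1" ] || { echo "volume $1 not found" >&2; return 2; }
    if is_mounted "$2"; then
        echo "$2 is already mounted"
        return 0
    fi
    require_tty || return $?
    truecrypt --mount "$1" "$2" || return 1   # prompts for passphrase/keyfile
    is_mounted "$2" || { echo "$2 did not appear in /proc/mounts" >&2; return 1; }
}

# Restart the daemons only after the store is visible again, so incoming
# mail is never written to the unencrypted directory under the mount point.
restart_mail_services() {
    for svc in $SERVICES; do
        service "$svc" restart || return 1
    done
}

if [ "${1:-}" = "--run" ]; then
    mount_mail_volume "$VOLUME" "$TARGET" && restart_mail_services
fi
```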

Now if for some reason the feds order Linode to shut down my VPS, reset the root password and give them access, they won't be able to access my email because it's not mounted automatically. Now they have to come see me with a warrant. Once again, encryption keys are protected by the 5th Amendment!

Small price to pay to make sure the government doesn't violate my rights I think.

Sure, Ubuntu has the ability to encrypt folders, but once the feds have root access after a password reset they can decrypt the folders easily. With Truecrypt it is a little harder to break in my opinion. If they want to access my email without a warrant or notification now, they will have to try to brute-force my Truecrypt volume.

Can they do it? With government supercomputers? Probably. I, however, won't make it easy for them. Besides, according to NSA whistleblower Edward Snowden, encryption is effective in protecting your information from government snooping as long as you have good endpoint security.

What do you think about this? Overkill? Are you going to do something similar? Sound off in the comments.

Jun 19, 2013

Last Saturday I wanted to test the latest edition of Bauer-Puntu on my laptop at home. Normally I would have just wiped my laptop without a second thought and installed Bauer-Puntu. The problem this time is that my wife has commandeered my laptop, and it is running Windows 8.

I can't just wipe it or she'll be pissed. No, I needed to back up the whole thing to an external drive so I could restore it after I was done testing.

In Windows 7 I would just go into Backup and Restore in the control panel, but that is missing in Windows 8. So where did they put it? You won't believe this crap, but they placed it in an area called Windows 7 File Recovery.

Anyway, once you go in there you can create a system image like you did in Windows 7 by clicking on Create A System Image and following the wizard.

Does anyone know why Microsoft needs to change things for the sake of change? Let me know in the comments.

Jun 17, 2013

Well, I finally got it done. I finished up Bauer-Puntu 13.04. This time I decided to cut out a lot of the stuff I don't really use. Stuff like Metasploit, SET, and some other hacking tools. If you want to do some serious pentesting, Bauer-Puntu really isn't for you. If you want to do that, I suggest downloading BackTrack.

Bauer-Puntu is still cool though. I mean, I am a Systems Engineer by trade, and therefore I decided to keep the stuff I do use quite a bit. Stuff like chntpw to reset local administrator passwords in Windows, as well as a number of encryption tools to keep the NSA and the FBI from snooping on you, or at the very least, keep them guessing a little bit. I also kept stuff like GParted for offline disk re-sizing, and some other stuff as well.

Also, I brought back Cairo-Dock. I tried installing Cinnamon again this time, but it kept crashing for some reason so I scrapped it. I also built it using Xubuntu, so the window manager is XFCE, and should be rather light.

There were some quirks this go around. For one, I had to install GDM instead of LightDM because there was a bug where you couldn't modify the wallpaper of the login screen. Also, since I built this using VirtualBox, I had to manually create a custom.conf file and slip it into the /etc/gdm directory while Remastersys was building. Otherwise the live CD wouldn't auto-login. Finally, I had to jump in and remove the vboxadd user from the tmpusers file in the Remastersys build directory as well before the ISO was generated. Not sure why that was being added in...